KYRO Customer Data Processing Addendum

This Data Processing Addendum (this "DPA") supplements and forms part of the Subscription Services Agreement or other agreement between Customer and KYRO about the provision of Services by KYRO to Customer ("Agreement") when Data Protection Law applies to Customer’s access and use of the Services to Process Customer Personal Data (defined below).

Customer enters into this DPA on behalf of itself and, to the extent required under applicable law, in the name of and on behalf of its Data Controller Affiliates (defined below) ("Customer"). For the purposes of this DPA only, and except as otherwise indicated, the term "Customer" shall include Customer and Data Controller Affiliates.

1. Data Processing

1.1. Scope and Roles. This DPA applies when Customer Personal Data is processed by KYRO under applicable Data Protection Law. In this context, where the law provides for the roles of “controller” and “processor,” Customer is the Controller of the Customer Personal Data covered by this DPA, and KYRO shall be a Processor Processing Customer Personal Data on behalf of Customer and this DPA shall apply accordingly.

1.2. Details of Data Processing.

1.2.1. Subject matter. The subject matter of the data Processing under this DPA is Customer Personal Data.
1.2.2. Duration. The duration of the Processing under this DPA is determined by the Agreement. Regardless of whether the Agreement has terminated or expired, this DPA will remain in effect until, and automatically expire when, KYRO deletes or anonymizes all Customer Personal Data as described in the Agreement.
1.2.3. Purpose. The purpose of the processing under the DPA is the provision of the Services by KYRO to Customer as specified in the Agreement.
1.2.4. Nature of the Processing. Customer Personal data is processed by KYRO in connection with the Services under the Agreement and/or any applicable Order.
1.2.5. Categories of Data Subjects. The Data Subjects of Customer, which may include Customer's Authorized Users, employees, contractors, suppliers, or other third parties whose Personal Data is uploaded by Customer for use in connection with the Services.
1.2.6. Categories of data. Identifiers (contact detail including name, email, phone number and addresses); Employment Data (professional data, contact details, hours worked, site access); Internet and Network Activity Data (such as IP addresses, log files, and login information); Geolocation Data (such as region, country, state, postal code, or location information derived from IP addresses); and other Personal Data that Customer or its Authorized Users elect to submit to the Services.
1.2.7. Special categories of data (if appropriate). KYRO and/or its Subprocessors do not intentionally collect or process any special categories of data in connection with the provision of the Services under the Agreements. However, Customer or its Affiliates may choose to include this type of data within content that the Customer instructs KYRO to process on its behalf.

1.3. Compliance with the laws. Each party will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this DPA.
1.4. Jurisdiction specific terms. Certain jurisdictions require other specific terms. Where required under applicable Data Protection Law, this DPA fully incorporates the applicable Jurisdiction Specific Terms available at https://kyro.ai/legal/jurisdiction-specific-terms.

2. Documented Instructions.

2.1. Customer Instructions. Customer shall, in its use of the Services, at all times provide documented instructions to KYRO for the Processing of Customer Personal Data, in compliance with applicable Data Protection Law. The Parties agree that this DPA and the Agreement constitute Customer’s documented instructions regarding KYRO’s Processing of Customer Personal Data (“Documented Instructions”). KYRO will Process Customer Personal Data in accordance with Customer’s Documented Instructions. Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between KYRO and Customer, including agreement on any additional fees payable by Customer to KYRO for carrying out such instructions.
2.2. Obligations and Indemnity. Customer shall ensure that its Documented Instructions comply with all laws, rules and regulations applicable to the Customer Personal Data, and that the Processing of Customer Personal Data per Customer's Documented Instructions will not cause KYRO to be in breach of applicable Data Protection Law. Customer is solely responsible for the accuracy, quality, and legality of (a) the Customer Personal Data provided to KYRO by or on behalf of Customer; (b) how Customer acquired any such Customer Personal Data (e.g., appropriate notice and/or consent); and (c) the Documented Instructions it provides to KYRO regarding the Processing of such Personal Data. Customer shall not provide or make available to KYRO any Personal Data in violation of the Agreement, this DPA, or otherwise inappropriate for the nature of the Services and shall indemnify KYRO from all claims and losses in connection therewith.

3. Confidentiality of Customer Personal Data. KYRO will not access or use, or disclose to any third party, any Customer Personal Data, except, in each case, as necessary to maintain or provide the Services, or as necessary to comply with the law, a Public Authority Request and/or a valid and binding order of a governmental body (such as a subpoena or court order). If a governmental body sends KYRO a demand for Customer Personal Data, KYRO will attempt to redirect the governmental body to request that data directly from Customer. As part of this effort, KYRO may provide Customer’s basic contact information to the governmental body. If compelled to disclose Customer Personal Data to a governmental body, then KYRO will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless KYRO is legally prohibited from doing so.
4. Authorized persons. KYRO shall ensure that all persons authorized to Process Customer Personal Data on behalf of KYRO are made aware of the confidential nature of the Customer Personal Data, and have committed themselves to confidentiality (e.g. by confidentiality agreements) or are under an appropriate statutory obligation of confidentiality.
5. Authorized Subprocessors. Customer hereby generally authorizes KYRO to engage Subprocessors in accordance with this Section 5. Customer approves the Subprocessors currently disclosed in Appendix A. KYRO may remove, replace, or appoint suitable and reliable Subprocessors, provided that KYRO shall maintain an up-to-date list of its Subprocessors on KYRO’s website at https://kyro.ai/legal/subprocessors. KYRO will provide Customer with an opportunity to object to any change in its Subprocessors where required under applicable Data Protection Law.

5.1. Objections. If the Customer reasonably objects to the engagement of a new Subprocessor, KYRO shall have the right to cure the objection through one of the following options (to be selected at KYRO’s sole discretion): (a) KYRO cancels its plans to use the Subprocessor with regard to Customer Personal Data; (b) KYRO will take the corrective steps requested by Customer in its objection (which removes Customer's objection) and proceed to use the Subprocessor with regard to Customer Personal Data; (c) KYRO may cease to provide or Customer may agree not to use (temporarily or permanently) the particular aspect of the Service that would involve the use of such Subprocessor with regard to Customer Personal Data; and (d) KYRO provides Customer with a written description of commercially reasonable alternative(s), if any, to such engagement, including without limitation modification to the Services. If KYRO, in its sole discretion, cannot provide any such alternative(s), or if Customer does not agree to any such alternative(s) if provided, KYRO and Customer may terminate this DPA with prior written notice, or suspend the affected Services. Termination shall not relieve Customer of any fees or charges owed to KYRO for Services provided up to the effective date of the termination under the Agreement. In the event that KYRO elects to suspend Customer’s access to and use of affected Services, such suspension shall relieve Customer of any fees or charges owed to KYRO for such Services after the effective date of the suspension. If Customer does not object to a new Subprocessor's engagement within ten (10) days of notice by KYRO, that new Subprocessor shall be deemed accepted.
5.2. Subprocessor Obligations. Where KYRO authorizes a Subprocessor as described in Section 5.1:

5.2.1. KYRO will restrict the Subprocessor’s access to Customer Personal Data only to what is necessary to provide or maintain the Services in accordance with the Documentation, and KYRO will prohibit the Subprocessor from accessing Customer Personal Data for any other purpose;
5.2.2. KYRO will enter into a written agreement with the Subprocessor and, to the extent that the Subprocessor performs the same data processing services provided by KYRO under this DPA, KYRO will impose on the Subprocessor the same contractual obligations that KYRO has under this DPA; and
5.2.3. KYRO will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Subprocessor that cause KYRO to breach any of KYRO obligations under this DPA.

6. Security; Audits; Personal Data Breach; Impact Assessments.

6.1. Security. KYRO’s provision of the Services will be consistent with the measures described in Appendix B.

6.1.1. Updates to KYRO Security Controls. Customer is responsible for reviewing the information made available by KYRO relating to data security and making an independent determination as to whether the Security Controls set forth in Section 6.1, above, meet Customer’s requirements and legal obligations under applicable law. Customer acknowledges that the Security Controls are subject to technical progress and development and that KYRO may update or modify the Security Controls from time to time provided that such updates and modifications do not materially degrade the overall security of the Services during the Subscription Term.

6.2. Confidential Security Reports and Audits. For the duration of its processing of Customer Personal Data, KYRO will maintain compliance with appropriate security standards for its industry. Upon request, KYRO shall, no more than once per calendar year, make available for Customer’s review a summary copy of an audit report(s) ("Report") that reflects such compliance; a request may be made by emailing [email protected]. Customer acknowledges and agrees that such Reports are KYRO’s Confidential Information. KYRO shall also provide a requesting Customer with a Report and/or confirmation of KYRO's own audits and/or a report of third party auditors' audits of its Subprocessors that have been provided by those Subprocessors to KYRO, to the extent such reports or evidence may be shared with Customer ("Third-party Subprocessor Audit Reports"). Customer acknowledges that (a) Reports and Third-party Subprocessor Audit Reports shall be considered Confidential Information as well as confidential information of the third-party Subprocessor and (b) certain third-party Subprocessors to KYRO may require Customer to execute a non-disclosure agreement with them in order to view a Third-party Subprocessor Audit Report.
6.3. Personal Data Breach. In the event of a Personal Data Breach, except where prohibited by law, KYRO shall notify Customer without undue delay and otherwise respond as described in 6.3.1 below. In addition, KYRO shall, taking into account the nature of the Processing and the information available to KYRO assist Customer in ensuring compliance with its obligations under applicable Data Protection Law to conduct a data protection impact assessment and, with prior notice, to assist with consultations with the Competent Supervisory Authority (defined below), where required.

6.3.1. Practices. KYRO does and will (a) maintain and follow a documented incident response plan and associated procedures consistent with industry standards for Personal Data Breach handling; (b) investigate any Personal Data Breach of which KYRO becomes aware and, within the scope of the Services, take such steps as KYRO in its sole discretion deems necessary and reasonable to remediate such Personal Data Breach; and (c) notify Customer without undue delay upon confirmation of a Personal Data Breach that is known or reasonably suspected by KYRO to affect Customer Personal Data, and provide Customer with reasonably requested information about such Personal Data Breach and the status of the remediation and restoration activities. The obligations herein shall not apply to a Personal Data Breach caused by Customer, Customer’s Authorized Users or misuse of Customer’s Access Credentials. KYRO’s obligation to report or respond to a Personal Data Breach under this Section 6 is not and will not be construed as an acknowledgement by KYRO of any fault or liability of KYRO with respect to the Personal Data Breach.

7. KYRO Assistance with Data Subject Requests. KYRO will inform Customer of requests from Data Subjects exercising their Data Subject rights under applicable Data Protection Law (e.g., including but not limited to rectification, deletion and blocking of data) addressed directly to KYRO regarding Customer Personal Data. Customer shall be responsible for handling such requests of Data Subjects. Upon a written request for assistance by Customer, KYRO will reasonably assist Customer with handling such Data Subject requests. KYRO may charge Customer no more than a reasonable charge to perform such assistance, and such charges will be set forth in a quote and agreed in writing by the Parties, or as set forth in the Agreement. If Customer does not agree to the quote, the Parties agree to reasonably cooperate to find a feasible solution.
8. International Transfers of Personal Data

8.1. U.S. Based Processing; Notification of Changes. Customer acknowledges and agrees that KYRO may transfer and process Customer Personal Data to and in the United States and anywhere else in the world where KYRO, its Affiliates, or its Subprocessors maintain data processing operations. KYRO shall ensure that such transfers are made in compliance with applicable Data Protection Law and this DPA.
8.2. Data Transfers from the European Economic Area. KYRO complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK-US Data Bridge Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. KYRO has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK-US Data Bridge. KYRO has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this DPA and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
8.3. Alternative Transfer Mechanisms. If necessary, KYRO may designate a valid Alternative Transfer Mechanism to any mechanism designated in this DPA, such as when necessary for the performance of Services pursuant to the Agreement or on Customer’s Documented Instructions.
8.4. Explicit Consent and Notice. Customer shall bear sole responsibility for obtaining its Authorized User’s and/or Data Subjects’ informed and explicit consent prior to the transfer of any Customer Personal Data to KYRO in a manner consistent with the applicable Data Protection Law. If, at any time, an Authorized User and/or Data Subject withdraws any consent given pursuant to this Subsection, Customer shall immediately inform KYRO in writing at [email protected] and cease use and collection of Customer Personal Data related to such objecting Authorized User and/or Data Subject. Customer shall keep an electronic record of all consents given, and any consents withdrawn, by Authorized Users and/or Data Subjects and shall make such records available to KYRO upon request as required by law.

9. Effect of Termination.

9.1. Upon termination or expiration of the Agreement, KYRO shall (at Customer's written request) anonymize all Customer Personal Data in its possession or control. This requirement shall not apply to the extent KYRO is required by applicable law to retain some or all of the Customer Personal Data.
9.2. Customer acknowledges that the Services are used as a system of record and that data uploaded to the Services is required to be retained under applicable laws for the establishment, exercise or defense of legal claims. As an equivalent to deletion, KYRO shall permanently and securely anonymise Customer Personal Data to the extent no individual could be identified.

10. Indemnification by Customer. To the maximum extent permitted by applicable law and in addition to any other remedy that is available, including the indemnities provided in the Agreement, Customer agrees to defend, indemnify and hold harmless KYRO, its Affiliates and KYRO’s Subprocessors, including their respective officers, directors, employees, agents, successors, representatives, agents, resellers and assigns (each, a "KYRO Indemnitee") from and against any and all Losses resulting from Customer’s violation of this DPA and/or the infringement or violation by Customer, its Authorized Users or any other user of Customer’s Access Credentials, of any privacy or other right of any person under applicable Data Protection Law.
11. Limitation of Liability

11.1. Exclusion of Damages. UNDER NO CIRCUMSTANCES AND REGARDLESS OF THE NATURE OF ANY ACTION SHALL THE KYRO INDEMNITEES BE LIABLE, DIRECTLY OR INDIRECTLY, IN WHOLE OR IN PART, TO CUSTOMER OR TO ANY OTHER PERSON OR ENTITY FOR ANY LOSSES OR LOSS, DAMAGE, CORRUPTION OR RECOVERY OF CUSTOMER PERSONAL DATA ARISING FROM OR RELATING TO CUSTOMER’S BREACH OF ITS OBLIGATIONS IN THIS DPA.
11.2. Limitation of Liability. Each Party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Customer and its Data Controller Affiliates and KYRO, whether in contract, tort or under any other theory of liability, is subject to the "Limitation of Liability" section of the Agreement and the applicable cap (maximum) for the relevant party set forth in the Agreement. Any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together. For the avoidance of doubt, the KYRO Indemnitees’ total liability for all Actions by Customer and all of Customer's Affiliates (including Data Controller Affiliates) arising out of or related to the Agreement and all DPAs shall apply in the aggregate for all claims under both the Agreement and all DPAs established under the Agreement, and, in particular, shall not be understood to apply individually and severally to Customer and/or to any Customer Affiliate that is a contractual party to any such DPA. To the extent required by applicable law, (a) this section is not intended to modify or limit the Parties’ liability for Data Subject claims made against a Party where there is joint and several liability under Data Protection Law, or (b) limit either Party’s responsibility to pay penalties imposed on such Party by a regulatory authority.

12. Survival of the DPA. This DPA will continue in force until the termination of the Agreement (the "Termination Date"), provided that the data protection obligations of this DPA and the SCCs shall continue to apply for so long as KYRO processes Customer Personal Data.
13. Severance. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (a) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (b) construed in a manner as if the invalid or unenforceable part had never been contained therein.
14. Entire Agreement; Order of Precedence. Except as supplemented by this DPA, the Agreement will remain in full force and effect. Any conflict between the terms of the Agreement and this DPA related to the processing of Customer Personal Data is resolved in the following order of priority: (1) the Standard Contractual Clauses, where applicable; (2) the DPA; and (3) the Agreement.
15. Definitions. Unless otherwise defined in the Agreement, all capitalized terms used in this DPA will have the meanings given to them below:

15.1. "Access Credentials" means any user name, identification number, password, license or security key, security token, PIN, or other security code, method, technology, or device used, alone or in combination, to verify an individual’s identity and authorization to access and use the Services.
15.2. "Action" means any claim, action, cause of action, demand, lawsuit, arbitration, inquiry, audit, notice of violation, proceeding, litigation, citation, summons, subpoena, or investigation of any nature, civil, criminal, administrative, regulatory, or other, whether at law, in equity, or otherwise.
15.3. "Affiliates", "Customer Data", "KYRO", and "Services" shall each have the meaning ascribed to it in the Agreement.
15.4. "Alternative Transfer Mechanism" means an alternative Personal Data export solution that has been approved pursuant to applicable Data Protection Law. This can include Binding Corporate Rules, any new version of or successor to the SCCs, or an existing certification mechanism adopted pursuant to applicable Data Protection Law for the international transfer of Personal Data.
15.5. "Competent Supervisory Authority" means (i) the supervisory authority applicable to the data exporter in its EEA country of establishment or, (ii) where the data exporter is not established in the EEA, the supervisory authority applicable in the EEA country where the data exporter's EU representative has been appointed pursuant to Article 27(1) of the GDPR, or (iii) where the data exporter is not obliged to appoint a representative, the supervisory authority applicable to the EEA country where the data subjects relevant to the transfer are located. With respect to Personal Data to which the UK GDPR applies, the competent supervisory authority is the Information Commissioner's Office. With respect to Personal Data to which the Swiss DPA applies, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
15.6. "Controller" means the entity that determines as a legal person alone or jointly with others the purposes and means of the Processing of Personal Data. Unless otherwise specified, Controller or "data exporter" refers to Customer.
15.7. "Customer", as used in this DPA, shall include Customer (as defined in the Agreement) and its Data Controller Affiliates.
15.8. "Customer Personal Data" means Customer Data submitted to KYRO for Processing in connection with the Services pursuant to the Agreement, which contains Personal Data.
15.9. "Data Controller Affiliates" means any of Customer's Affiliates that have not signed or otherwise accepted their own Order with KYRO and therefore would not be a "customer" as defined under the Agreement but is an entity which is: (i) subject to Data Protection Law; and (ii) permitted to use the KYRO Services pursuant to the Agreement between Customer and KYRO. For the avoidance of doubt, no third-party beneficiaries are intended.
15.10. "Data Protection Law" means any data protection and privacy laws and regulations that are applicable to the processing of Customer Personal Data by KYRO, including, where applicable, the laws listed in KYRO’s Jurisdiction Specific Terms, as may be amended, superseded or replaced from time to time.
15.11. "Data Subject" means the identified or identifiable person to whom Customer Personal Data relates.
15.12. "Documented Instructions" has the meaning ascribed in Subsection 2.1 of this DPA.
15.13. "Europe" means the European Economic Area and Switzerland.
15.14. "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
15.15. "including" and its derivatives mean "including but not limited to."
15.16. "Losses" means any and all losses, damages, deficiencies, claims, actions, judgments, settlements, interest, awards, penalties, fines, costs, or expenses of whatever kind, including reasonable attorneys’ fees, expert witness fees, settlement amounts, and the costs of enforcing any right to indemnification hereunder and the cost of pursuing any insurance providers.
15.17. "Personal Data" means any data that relates to an identified or identifiable natural person, to the extent that such information is protected under applicable Data Protection Law.
15.18. "Personal Data Breach" means a breach of security which results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data Processed by KYRO or KYRO’s Subprocessors.
15.19. "KYRO Indemnitee" shall have the meaning ascribed to it in Section 11, above.
15.20. "Processing" (unless defined differently under applicable Data Protection Law) means any operation or set of operations which is performed upon Personal Data, manually or automatically, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
15.21. "Processor" means an entity which Processes Personal Data on behalf of the Controller pursuant to the Agreement. Processor or "data importer" in this DPA refers to KYRO.
15.22. "Public Authority Request" means a government agency or law enforcement authority, including a judicial authority request for information.
15.23. "Services" means KYRO’s Services as set forth in the Agreement.
15.24. "Standard Contractual Clauses" or "SCCs" means: (i) where the GDPR applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the "EU SCCs"); (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR (the "UK SCCs"); and (iii) where the Swiss DPA applies, the applicable standard data protection clauses issued, approved or otherwise recognized by the Swiss Federal Data Protection and Information Commissioner ("FDPIC") (the "Swiss SCCs").
15.25. "Subprocessor" means any Processor engaged by KYRO to assist in processing Customer Personal Data in connection with the Services per Customer’s Documented Instructions under the terms of the Agreement and this DPA. Subprocessors may include KYRO’s Affiliates, but shall exclude KYRO employees, contractors, and consultants.
15.26. "UK GDPR" means the UK General Data Protection Regulation, as retained in UK law by the European Union (Withdrawal) Act 2018 and renamed by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020 and the UK's Data Protection Act 2018.

Appendix A - List of KYRO Subprocessors
A current list of KYRO’s Subprocessors is available at https://kyro.ai/legal/subprocessors

Appendix B - Technical and Organizational Security Measures
Information on KYRO’s technical and organizational security measures is available at https://kyro.ai/legal/technical-and-organizational-security-measures